dse.ldif

Directory Server configuration file

Synopsis

Location: instance-path/config/dse.ldif

Description

Directory Server stores its configuration as directory entries under cn=config. You can therefore change the server configuration by modifying configuration entries over LDAP, rather than by editing configuration files. Configuring Directory Server in this way allows you to reconfigure a remote server while it continues to serve other directory clients.

The dse.ldif file defines the configuration for a Directory Server instance. The dse.ldif file includes a set of entries under cn=config. These entries make up the modular parts of the Directory Server instance configuration.

Directory Server stores its schema under cn=schema, not as part of the rest of the server configuration. For an introduction to the schema available under cn=schema, see Intro_6Schema(5DSSD).

Note:

Neither the dse.ldif file nor the cn=config suffix constitutes a public interface for configuring a Directory Server instance. Use dsconf(1M) instead.

The dse.ldif file has the following characteristics.

The dse.ldif file is read only once at startup. Thereafter, the server configuration is based on the in-memory LDAP image of the configuration entries. Modifications to the dse.ldif file while the server is running are erased.

Modification of the configuration with Directory Service Control Center or from the command line changes the LDAP image of the configuration. Some directory features read the current configuration when invoked and do not require the server to be restarted.

Directory Server writes the dse.ldif file whenever the LDAP image of the configuration is changed. Some directory features read their configuration only when the server starts. Writing the file ensures the change is present.

The existing dse.ldif file is copied to dse.ldif.bak, and the existing dse.ldif.bak is overwritten. Therefore, any manual changes to the dse.ldif file are lost if the configuration is changed through LDAP before the server is restarted.

After every successful startup of the directory, the dse.ldif file is copied to dse.ldif.startOK in the same location. If your server cannot start because of a faulty configuration, restore the dse.ldif file from the dse.ldif.startOK file.

The following restrictions apply to modifications to the server configuration.

Some modifications only take effect after the server is restarted. See ATTRIBUTES REQUIRING RESTART in the manual page for details.

The cn=monitor entry cannot be modified.

The server ignores invalid attribute values.

Extended Description

Directory Server has a modular configuration, with a number of distinct branches under the cn=config Directory Information Tree. The primary branches are below the following DNs.

cn=encryption,cn=config

Configuration attributes related to encryption

cn=features,cn=config

Access control for many server features, also configuration for internationalized matching and searching

Default replication bind information for cn=Replication Manager, also formerly used for replication configuration

cn=suffixName,cn=config

Suffix configuration attributes

cn=tasks,cn=config

Used by the server to manage online import, backup, and so forth

cn=uniqueid generator,cn=config

Configuration attributes for providing unique IDs

About Configuration Attributes

The dse.ldif file contains all configuration information, including directory-specific entries created by Directory Server at startup and directory-specific entries related to the database, also created by Directory Server at startup. The file includes the Root DSE, named by "", and the entire contents of cn=config. When the server generates the dse.ldif file, it lists the entries in hierarchical order, that is, in the order in which the entries appear in the directory under cn=config.

Within a configuration entry, each configuration setting is represented as an attribute of that entry. The value of the attribute is the configured value of that setting.

The following example shows part of the dse.ldif file for a Directory Server instance. The example indicates, among other things, that schema checking has been turned on. This is represented by the attribute nsslapd-schemacheck, which takes the value on.
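The dse.ldif, dse.ldif.bak and dse.ldif.startOK lifecycle described under Description, and the nsslapd-schemacheck setting referred to here, are both illustrated by the following added example, which is not part of this manual page or of Directory Server. It reads LDIF-formatted configuration (folded lines and base64 values included), reports attribute drift between a running dse.ldif and the last known-good dse.ldif.startOK, and checks that schema checking is on. The two fragments it reads are constructed; the nsslapd-errorlog value in them is an assumption, not server output.

```python
import base64

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from LDIF text (folded lines and base64 values handled)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):       # drop comment lines
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                # blank line ends the entry
            current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()         # attribute names are case-insensitive
        if name == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries

def config_drift(running_ldif, start_ok_ldif):
    """List (dn, attr, startOK values, running values) for every attribute that differs."""
    cur, ok = parse_ldif(running_ldif), parse_ldif(start_ok_ldif)
    diffs = []
    for dn in sorted(set(cur) | set(ok)):
        for attr in sorted(set(cur.get(dn, {})) | set(ok.get(dn, {}))):
            before = sorted(ok.get(dn, {}).get(attr, []))
            after = sorted(cur.get(dn, {}).get(attr, []))
            if before != after:
                diffs.append((dn, attr, before, after))
    return diffs

def schema_check_enabled(ldif_text):
    """True only when cn=config carries exactly nsslapd-schemacheck: on."""
    cfg = parse_ldif(ldif_text).get("cn=config", {})
    return [v.lower() for v in cfg.get("nsslapd-schemacheck", [])] == ["on"]

# Constructed fragments standing in for dse.ldif.startOK and dse.ldif (not real server
# output): the running copy has schema checking switched off plus a folded base64 value.
START_OK = ("dn: cn=config\nobjectClass: top\nobjectClass: extensibleObject\n"
            "objectClass: nsslapdConfig\ncn: config\nnsslapd-schemacheck: on\n")
CURRENT = (START_OK.replace("schemacheck: on", "schemacheck: off")
           + "nsslapd-errorlog:: L3Zhci9s\n b2cvZXJyb3Jz\n")  # folded base64 of /var/log/errors
```

Run config_drift against the real files before a restart to see which LDAP-applied changes have not yet been proven by a successful start.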

See CONFIGURATION ATTRIBUTES in this manual page for a list of configuration attribute manual pages.

Access Control For Configuration Entries

When Directory Server is installed, a default set of Access Control Instructions, ACIs, is implemented for all entries under cn=config. The following extract from the dse.ldif file shows an example of these default ACIs.

By default, both the cn=Directory Manager user and the cn=admin,cn=Administrators,cn=config user have access to modify configuration entries. ACI syntax is covered elsewhere in the Directory Server Enterprise Edition documentation.

CONFIGURATION ATTRIBUTES

This section lists configuration attributes by their location in the configuration Directory Information Tree.

Attributes of cn=config

General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which inherits from the extensibleObject object class. For attributes to be taken into account by the server, the entry must contain the nsslapdConfig object class, the extensibleObject object class and the top object class.

Encryption related attributes are stored under the cn=encryption,cn=config entry. This entry is an instance of the nsEncryptionConfig object class. For encryption related attributes to be taken into account by the server, this object class, in addition to the top object class, must be present in the entry.

Configuration attributes for suffixes and replication are stored under the branch cn=mapping tree,cn=config.

Configuration attributes related to suffixes are found under the suffix subentry, which has a DN of the following form.

cn="suffixName",cn=mapping tree,cn=config

Suffix configuration entries therefore have CNs such as cn="dc=example,dc=com". Suffix configuration entries are instances of the nsMappingTree object class, which inherits from the extensibleObject object class. For suffix configuration attributes to be taken into account by the server, these object classes, in addition to the top object class, must be present in the entry. See the following man pages about suffix configuration entry attributes.

For instructions concerning legacy password policy functionality, see the Directory Server Migration Guide. Legacy password policy functionality is configured using entries of the object class described in passwordPolicy(5DSOC).

Plug-In Configuration Under cn=plugins

Many of the features of Directory Server are designed as discrete modules that plug into the core server. The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. The following example shows the configuration entry for the Telephone Syntax plug-in.

The following list shows the chained suffix attributes used for monitoring activity on instances. These attributes are stored under cn=monitor,cn=dbName,cn=chaining database,cn=plugins,cn=config.

nsAddCount

Number of add operations received.

nsDeleteCount

Number of delete operations received.

nsModifyCount

Number of modify operations received.

nsRenameCount

Number of rename operations received.

nsSearchBaseCount

Number of base level searches received.

nsSearchOneLevelCount

Number of one-level searches received.

nsSearchSubtreeCount

Number of subtree searches received.

nsAbandonCount

Number of abandon operations received.

nsBindCount

Number of bind requests received.

nsUnbindCount

Number of unbinds received.

nsCompareCount

Number of compare operations received.

nsOperationConnectionCount

Number of open connections for normal operations.

nsBindConnectionCount

Number of open connections for bind operations.

Database Plug-In Configuration

Database plug-in configuration entries are stored under cn=ldbm database,cn=plugins,cn=config. That entry is a server plug-in configuration entry for databases, and therefore takes the same attributes as other plug-in entries.

Configuration entries for default indexes. Notice that each individual attribute type indexed has its own entry, and that the attribute type is identified by common name, CN. See the following man pages concerning attributes for such entries.

Entry for read-only database performance monitoring attributes. All of the values for these attributes are 32-bit integers.

nsslapd-db-abort-rate

Number of transactions that have been aborted.

nsslapd-db-active-txns

Number of transactions that are currently active (in use by the database).

nsslapd-db-cache-hit

Requested pages found in the cache.

nsslapd-db-cache-region-wait-rate

Number of times that a thread of control was forced to wait before obtaining the region lock.

nsslapd-db-cache-size-bytes

Total cache size in bytes.

nsslapd-db-cache-try

Total cache lookups.

nsslapd-db-clean-pages

Clean pages currently in the cache.

nsslapd-db-commit-rate

Number of transactions that have been committed.

nsslapd-db-configured-locks

Configured number of locks.

nsslapd-db-configured-txns

Configured number of transactions.

nsslapd-db-current-locks

Number of locks currently used by the database.

nsslapd-db-deadlock-rate

Number of deadlocks detected.

nsslapd-db-dirty-pages

Dirty pages currently in the cache.

nsslapd-db-hash-buckets

Number of hash buckets in buffer hash table.

nsslapd-db-hash-elements-examine-rate

Total number of hash elements traversed during hash table lookups.

nsslapd-db-hash-search-rate

Total number of buffer hash table lookups.

nsslapd-db-lock-conflicts

Total number of locks not immediately available due to conflicts.

nsslapd-db-lockers

Number of current lockers.

nsslapd-db-lock-region-wait-rate

Number of times that a thread of control was forced to wait before obtaining the region lock.

nsslapd-db-lock-request-rate

Total number of locks requested.

nsslapd-db-log-bytes-since-checkpoint

Number of bytes written to this log since the last checkpoint.

nsslapd-db-log-flush-commit

The number of log flushes that contained a transaction commit record.

nsslapd-db-log-flush-count

The number of times the log has been flushed to disk.

nsslapd-db-log-max-commit-per-flush

The maximum number of commits contained in a single log flush.

nsslapd-db-log-min-commit-per-flush

The minimum number of commits contained in a single log flush that contained a commit.

nsslapd-db-log-region-wait-rate

Number of times that a thread of control was forced to wait before obtaining the region lock.

nsslapd-db-log-write-count

The number of times the log has been written to disk.

nsslapd-db-log-write-count-fill

The number of times the log has been written to disk because the in-memory log record cache filled up.

nsslapd-db-log-write-rate

Number of bytes written to the log since the last checkpoint.

nsslapd-db-longest-chain-length

Longest chain ever encountered in buffer hash table lookups.

nsslapd-db-max-locks

Maximum number of locks used by the database since the last startup.

nsslapd-db-max-txns

Maximum number of transactions used since the last startup.

nsslapd-db-page-create-rate

Pages created in the cache.

nsslapd-db-page-read-rate

Pages read into the cache.

nsslapd-db-page-ro-evict-rate

Clean pages forced from the cache.

nsslapd-db-page-rw-evict-rate

Dirty pages forced from the cache.

nsslapd-db-pages-in-use

All pages, clean or dirty, currently in use.

nsslapd-db-page-trickle-rate

Dirty pages written using the memp_trickle interface.

nsslapd-db-page-write-rate

Pages written from the cache.

nsslapd-db-txn-region-wait-rate

Number of times that a thread of control was forced to wait before obtaining the region lock.

cn=dbName,cn=ldbm database,cn=plugins,cn=config

Configuration information for databases backing suffixes you define. The dbName is by default a contraction of the common name for the suffix. For example, if the suffix has CN dc=example,dc=com, the dbName might be example. See the following man pages concerning attributes for such entries.

A VLV index provides fast searches against a known result set and sort ordering. To do this, the object class vlvSearch is needed to define the VLV search, and the object class vlvIndex is needed to order the search. See the following manual pages for details on the VLV configuration entry object classes and attributes.

Percentage of requested pages found in the database cache, hits/tries.

dbcachepagein

Pages read into the database cache.

dbcachepageout

Pages written from the database cache to the backing file.

dbcacheroevict

Clean pages forced from the cache.

dbcacherwevict

Dirty pages forced from the cache.

DSML Front End Plug-In Configuration Attributes

The front end plug-in enables you to access directory data by methods other than LDAP. Directory Server provides a DSML front end plug-in that enables access using DSMLv2 over HTTP/SOAP. Attributes for the DSML front end plug-in are stored under cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config. See the following manual pages for details.

All plug-ins are instances of the nsSlapdPlugin object class, which in turn inherits from the extensibleObject object class. For plug-in configuration attributes to be taken into account by the server, both of these object classes, in addition to the top object class, must be present in the entry.

See nsslapd-plugin(5DSCONF) for an overview of the plug-ins provided with Directory Server, including configurable options, configurable arguments, default setting, dependencies, general performance related information, and further reading.

Attributes of cn=uniqueid generator,cn=config

Unique ID generator configuration attributes are stored under the entry with DN cn=uniqueid generator,cn=config. The cn=uniqueid generator,cn=config entry is an instance of the extensibleObject object class. For unique ID generator configuration attributes to be taken into account by the server, this object class, in addition to the top object class, must be present in the entry.

ATTRIBUTES REQUIRING RESTART

This section lists configuration elements whose modifications cannot take effect dynamically, while the server is still running. After modifying these parameters, you must restart the server. The following list shows the configuration attributes concerned, with their full DNs, and provides a brief description of their functions.